With the development of cloud services, outsourcing computation tasks to a commercial cloud server has drawn attention of various communities, especially in the Big Data era. Public verifiability offers a flexible functionality in real circumstance where the cloud service provider (CSP) may be untrusted or some malicious users may slander the CSP on purpose. However, sometimes the computational result is sensitive and is supposed to remain undisclosed in the public verification phase, while existing works on publicly verifiable computation (PVC) fail to achieve this requirement. In this paper, we highlight the property of result confidentiality in publicly verifiable computation and present confidentiality-preserving public verifiable computation (CP-PVC) schemes for multivariate polynomial evaluation and matrix-vector multiplication, respectively. The proposed schemes work efficiently under the amortized model and, compared with previous PVC schemes for these computations, achieve confidentiality of computational results, while maintaining the property of public verifiability. The proposed schemes proved to be secure, efficient, and result-confidential. In addition, we provide the algorithms and experimental simulation to show the performance of the proposed schemes, which indicates that our proposal is also acceptable in practice.
National Natural Science Foundation of China61272091617723111. Introduction
Outsourcing computation has been served as a significant service with the rapid development of Cloud Computing Technology. It provides the service purchaser (whom we call user) with constraint computational power to delegate the complicated computational tasks to the service provider (which we call cloud server) and enjoy its unlimited computational resources in a pay-per-use manner. This brings a huge convenience for resource-constraint devices to reduce their computational overhead and thus has attracted significant interests in both industrial and academic communities. A number of large enterprise groups, such as Amazon, Google, and Alibaba, have launched their Cloud Computing to provide computation outsourcing services. What is more, in Big Data era, the ability to deal with the massive data has become core competitiveness while outsourcing computation just fits this demand.
While outsourcing computation paradigm enjoys numerous benefits, it also suffers from rigorous challenges [1]. To begin with, since the cloud server is commercialized, sometimes it may not perform the computation honestly but output a computationally indistinguishable result in order to save its cost for more interests. Therefore, a basic requirement of outsourcing computation is to assure the correctness of the computational result. In other words, the user should have a way to verify the correctness of the output from the cloud server with an overwhelming probability. Despite the untrustworthy of cloud server, misbehavior may also happen from the user side. For example, a malicious user may deliberately claim the output from the cloud server incorrect and slander the cloud service provider by this even if the cloud server has performed the computation honestly. This is due to the fact that verification is done in a private manner. Therefore, it is preferable that the verification can be done publicly. That is to say, anyone except the user himself is able to verify the output from the cloud server. With public verification, not only cannot the cloud server cheat with an incorrect output, but also the user cannot claim the output from the cloud server incorrect for no reason, because now the output is witnessed and verified by everyone. Secondly, since sometimes the computational result is something sensitive, it needs to be kept secret to any party except the user himself. Thus another challenge of outsourcing computation is to assure confidentiality of the computational result, especially when the output from the cloud server can be verified publicly. Last but not least, the whole workload of the user in certain computation outsourcing procedure must be much less than accomplishing this computation task all by the user himself. We call this the requirement of efficiency. This is essential because if not, the outsourcing will be meaningless.
The evaluation of multivariate polynomials p(x) is one of the most fundamental computational tasks in scientific communities. In practice, there are so many problems that can be reduced to a model of evaluating certain polynomial with multivariate input value, for example, to evaluate an employee’s performance in a company and to evaluate a person’s health condition. Matrix-vector multiplication is another fundamental computational task that is widely applied, for example the Discrete Fourier Transform (DFT) and the Singular Value Decomposition (SVD). And in Big Data era, with the data we need to deal with getting more and more enormous, it is very likely that the storage requirement when evaluating multivariate polynomials or matrix-vector multiplication exceeds the available memory of the user’s computational devices, like cell phones or portable laptop. Thus we need to find another way to fulfill the computational tasks securely and efficiently. Plenty of works have been done to seek secure and efficient schemes of outsourcing computation for polynomials and matrix-vector multiplication. Fiore and Gennaro [2] proposed schemes to securely outsource evaluation of multivariate polynomials and matrix-vector multiplication and verify the corresponding result in a public manner. Unfortunately, one disadvantage of their proposal is the leakage of final result. Anyone is able to verify the correctness of the output from the cloud server and then obtain the result of the target evaluation. This brings a drawback in practice when the result is something sensitive, for example, the year-end bonus of an employee and the health condition of a person.
1.1. Related Works1.1.1. Verifiable Computation
Verifiable computation (VC) was first proposed by Gennaro et al. [3]. In VC, only two parties are involved, the client that processes the input data and the server that evaluates the target function with the value client sends. The output of the server can be verified by the client only. Both the input and output value of the function are private in the whole procedure. Gennaro et al. proposed a concrete VC scheme for arbitrary circuit using Yao’s [4] two-party computation scheme and Gentry’s [5] fully homomorphic encryption (FHE) scheme. After that, different VC schemes using FHE were proposed [6–8]. They made use of various techniques to achieve verifiability. However, applying FHE in practice brings expensive overhead.
To avoid applying FHE and promote efficiency, a lot of papers [9–15] focused on VC schemes for various kinds of computation and had achieved outstanding results.
1.1.2. Publicly Verifiable Computation
Different from VC where the verification is done privately, publicly verifiable computation (PVC) allows anyone to verify the result output by the server. PVC brings more flexible application in the untrusted cloud environment than VC, mainly in two-fold. One is to release the workloads of verification for the client. Another is the supervision of users. This is because if the verification is only done privately, once an incorrect result is claimed, it is hard to tell whether the server misbehaved or the user is intentionally slandering. However if the result can be verified publicly, the user’s slandering is easy to detect. PVC was first proposed by Parno et al. [16]. They constructed a PVC scheme for Boolean functions using KP-ABE schemes. After that, many PVC schemes were proposed [2, 17–19]. In 2012, Fiore et al. [2] proposed a PVC scheme for multivariate polynomial evaluation and matrix multiplication. They took inspiration from Benabbas et al.’s [9] VC scheme to use pseudorandom function that enjoys closed form efficiency to generate the verification key efficiently, and they generalized the function to multivariate case. Moreover, by leveraging the technique of bilinear map, they have improved the verification procedure from private to public manner. With the similar technique, Sun et al. [17] constructed batch verifiable computation schemes with public verification for polynomial and matrix that achieve simultaneously evaluation of multiple functions in one outsourcing phase. In 2016, Elkhiyaoui et al. proposed another solution for univariate polynomial evaluation and matrix multiplication. They leverage the idea of Euclidean division of polynomials to construct the structure of the verifiable computation. And the bilinear map technique is utilized to make the verification able to be public. However, this idea is only suitable for univariate polynomial scenario. What is more, all the schemes mentioned above share the same disadvantage that anyone except for the user that verifies the result will surely obtain its concrete value. This is insecure in practice when the result of certain computation is usually something sensitive and the verification process is supposed to output a judgement to the correctness of the result rather than disclosing the value itself. To overcome this, Alderman et al. [20] improved Parno et al.’s [16] scheme with a secret substitution bit and presented a PVC with key distribution center (KDC) for Boolean functions. They also achieved other properties like revocation based on this PVC with KDC [21, 22], but this way of using secret substitution bit cannot fit other functions that have large range.
1.2. Our Contributions
In this paper, we present a modified PVC model that is considered to be more practical. It captures the confidentiality of the computational result, which we believe is an important property when utilizing in practice.
We present outsourcing schemes for securely and efficiently evaluating high degree multivariate polynomials and matrix-vector multiplication. Compared with existing outsourcing schemes for polynomials [2, 23] and matrix multiplication, our proposal simultaneously captures properties of both public verifiability and result confidentiality. This offers a more flexible application in practice.
We also provide the algorithm for our outsourcing scheme and run some simulated experiments to show the efficiency of the proposed schemes.
This paper is an extension of its corresponding conference version [24]. In the revised version, we extends the CP-PVC scheme to the matrix-vector multiplication case. The resulting scheme proved to achieve not only the properties of polynomial case (i.e., security, public verifiability, and result confidentiality) but also the input privacy. We run corresponding simulated experiments and the result is also acceptable for practice.
1.3. Paper Organization
The remaining parts of the paper are organized as follows. Some necessary preliminaries are provided for the proposed schemes in Section 2. The framework of the proposed CP-PVC protocol is defined in Section 3. The concrete constructions of the CP-PVC schemes for polynomial evaluation and matrix-vector multiplication are presented, analyzed, and simultaneously experimented separately in Sections 4 and 5. The conclusion of the paper is in Section 6.
2. Preliminaries
In this section, we provide some definitions about algebraic pseudorandom function (PRF) with closed form efficiency, bilinear Map, and some related notions. We also provide the computational assumptions that are used for the construction of our schemes.
2.1. Algebraic PRF with Closed Form Efficiency
One of our main techniques is the PRF with closed form efficiency. PRF is a function (denoted by R) that is generated from a secret seed K. It owns the properties of both randomness and computational efficiency. A closed form efficient PRF consists of algorithms (KG, R) that are defined as follows:
KG(1λ)→(K,pp): The randomized key generation algorithm takes as input the security parameter 1λ and outputs a tuple of parameters (K,pp), where K denotes the secret seed and pp denotes the public parameters that specifies the domain X and range Y of the function, respectively.
R(K,x)→y: The deterministic functional computation algorithm takes as input the secret seed K and the value x∈X and computes a value y∈Y. We usually denote it by RK(·).
An algebraic PRF with closed form efficiency must satisfies the following properties:
(Algebraic) A PRF (KG,R) is algebraic if the range Y of RK(·) forms an abelian group. We use multiplication notation for group operation.
(Pseudorandom) A PRF (KG,R) is pseudorandom if for every PPT adversary A, there holds(1)PrARK·1λ,pp=1-PrAr·1λ,pp=1≤ϵ
where (K,pp)←$KG(1λ) and r:X→Y is a random function.
(Closed form efficiency) Let Comp represent arbitrary computation that takes as input l random values r1,…,rl∈Y and a vector of m arbitrary values x=(x1,…,xm). Assume that the fastest algorithm to compute Comp(r1,…,rl,x1,…,xm) takes time t0. Let z=(z1,…,zl) be a tuple of arbitrary values taken from X. Then a PRF (KG,R) is closed form efficient for (Comp, z) if there exists an algorithm CFEvalComp,z such that(2)CFEvalComp,zK,x=CompRKz1,…,RKzl,x1,…,xm
and its running time is o(t0). When z=(1,…,l), we usually omit it from the subscript and write CFEvalComp(K,x) instead.
Here we only show the definition of PRF with closed form efficiency. We will give a concrete algorithm of PRF with closed form efficiency for multivariate polynomials in Section 3.
2.2. Bilinear Map
Our constructions also use bilinear maps. Bilinear pairing is a powerful tool in noninteractive authentication and has been widely applied in both encryption and signature schemes [9, 25]. To be specific, let G1,G2, and GT be finite cyclic multiplicative groups of order p, and let g,h be generators of G1 and G2. A map e^:G1×G2→GT is called a bilinear map if it satisfies the following properties:
Bilinearity: it holds that(3)e^gα,hβ=e^g,hαβ
for all α,β∈ZN.
Nondegeneracy: there exist g1∈G1,h1∈G2 such that e^(g1,h1)≠1.
Computability: there exists an efficient algorithm to compute e^(g1,h1) for any g1∈G1,h1∈G2.
2.3. Computational Assumptions
The computational assumption that is used for the construction of the PRF with closed form efficiency is decision linear (DL) assumption. We present the definition below.
Definition 1 (decision linear assumption).
Let G be a group of prime order p. Given g0,g1,g2∈G and r0,r1,r2∈Zp, one defines the advantage of an algorithm A in deciding the decision linear problem in G as(4)AdvAdl=PrAp,g0,g1,g2,g1r1,g2r2,g0r1+r2=1-PrAp,g0,g1,g2,g1r1,g2r2,g0r0=1.One says that the decision linear assumption (t,ϵ) holds in G if for every t-time algorithm A one has AdvAdl≤ϵ.
Note that the decision linear assumption holds in generic bilinear groups. Relative proof can be found in [26].
Next we present the definition of co-CDH, which is the base for the security of our proposed schemes. The co-CDH assumption was first introduced in BLS signature scheme presented by Boneh et al. [27], as a natural extension of standard CDH problem in asymmetric bilinear pairing. It is defined as follows.
Definition 2 (co-CDH assumption).
Let (p,g,h,G1,G2,GT,e^) be as above in Section 2.2. Given random a,b∈Zp, one defines the advantage of an algorithm A in solving the co-CDH problem in G1,G2 as(5)AdvAco-cdh=PrAp,g,h,ga,hb=gaband one says that the co-CDH assumption (t,ϵ) holds in G1,G2 if for every t-time algorithm A one has AdvAco-cdh≤ϵ.
Note that when G1=G2, the co-CDH problem reduces to standard CDH.
3. Modelling CP-PVC
We use an amortized model [16] to construct our CP-PVC scheme. That is, the user (denoted by SU) shall invest a larger amount of computational work in a preprocessing phase in order to obtain efficiency during the computation outsourcing phase. The adversaries in a PVC protocol are two types, the cloud server (denoted by CS) and some “curious” verifiers (denoted by CV). The former is in lazy-but-honest model [28] and the latter is in honest-but-curious model. This is reasonable since, in practice, a rational commercial cloud service will try to minimize the computation it needs to do to pass the verification algorithm. And passing the verification algorithm is its priority because only in this way can it get the payback. Also since the verification is public, there will be some curious verifiers that perform the public verification algorithm and try to discover some secret information about the final result value.
A difference between the framework of PVC proposed by Parno et al. [16] and ours is that we address the confidentiality of the computational result. In the public verification phase, a bit is output instead of the result value. And the result value is obtained in the later phase called private retrieval. To realize confidentiality, the user needs to operate the target function in the preprocessing phase and obtain a secret key for retrieval and keep it secret.
Let F be a class of functions and F∈F. We define a confidentiality-preserving publicly verifiable computation (CP-PVC) protocol π via the following five algorithms:
KeyGen(1λ,F)→(SKF,EKF,PP): The randomized key generation algorithm takes as input a security parameter and the function F and as outputs a secret key SKF for the input delegation phase, an evaluation key EKF for the cloud server to compute the outsourced message, and the public parameter PP. This is done by the client.
ProbGen(PP,SKF,x)→(σx,VKx,RKx): Given the public parameter PP, the secret key SKF, and the input value x∈Domain(F), the randomized problem generation algorithm outputs a public value σx, which is the encoding of x, together with a public verification key VKx for nonclient parties to verify the correctness and a private retrieval key RKx for the client to retrieve final result F(x). This is done by the client.
Compute(EKF,σx)→σout: On inputting the evaluation key EKF together with the value σx, the randomized computation algorithm outputs a value σout. This is done by the worker (cloud server).
PubVer(PP,VKx,σout)→{accept,reject}: The deterministic public verification algorithm uses the public parameter PP and public verification key VKx to check whether the final result is correct and returns accept or reject accordingly. This is done by the nonclient verifiers.
PrivRet(PP,VKx,RKx,σout)→y: The deterministic private retrieval algorithm is run on input PP, VKx,RKx, and σout to compute a string y∈0,1∗∪{⊥}. Here, the special symbol ⊥ indicates that the public verification algorithm rejects the worker’s answer σout. This is done by the client.
A verifiable computation scheme should be both correct and secure. We give the definition of correctness and security in the following.
Definition 3 (correctness).
A confidentiality-preserving publicly verifiable computation protocol π is correct for a class of functions F if, for any F from F, any tuple (SKF,EKF,PP) output by KeyGen(1λ,F), any x chosen from Domain(F), any tuple (σx,VKx,RKx) output by ProbGen(PP,SKF,x), and any σout output by Compute(EKF,σx), the PubVer algorithm on input (PP,VKx,σout) outputs accept, and the PrivRet algorithm on input PP,VKx,RKx, and σout outputs y=F(x).
The security of a verifiable computation requires that the worker is not able to output an incorrect value that passes the PubVer or the PrivRet algorithm. We give the formal definition via the following experiment.
Definition 4 (security).
Let π be a confidentiality-preserving publicly verifiable computation scheme for a class of functions F, and assume that A is PPT adversaries. Consider Experiment EXPA[π,F,λ] for any F∈F below:
ExperimentEXPA[π,F,λ]
KeyGen(1λ,F)→$(SKF,EKF,PP);
Fori=1 to q,
A(PP,EKF,σx,1,VKx,1,…,σx,i-1,VKx,i-1)→xi;
ProbGen(PP,SKF,xi)→$(σxi,VKxi,RKxi);
A(PP,EKF,σx,1,VKx,1,…,σx,q,VKx,q)→x∗;
ProbGen(PP,SKF,x∗)→$(σx∗,VKx∗,RKx∗);
A(σx∗,VKx∗)→(σout∗);
PubVerVKx∗,σout∗→k;
PrivRet(σout∗,VKx∗,RKx∗)→y∗;
Ifk=acceptandy∗≠F(x∗),output1;elseoutput0.
A confidentiality-preserving publicly verifiable computation scheme π is secure for a class of functions F, if, for any F from F and any PPT adversary A, it holds that(6)PrEXPAπ,F,λ=1≤neglλ.Here negl represents a negligible function in λ.
Next we give the confidentiality definition of CP-PVC which is not defined in existing PVC frameworks [2, 16]. In this paper we focus on the confidentiality for final result, which means that the adversaries cannot learn any information about the value y=F(x) from the value σout output by Compute algorithm. Here the adversaries refer to the cloud server and any nonclient verifier. Since the cloud server has extra knowledge of the evaluation key compared with the nonclient verifiers, we only need to define the result confidentiality to cloud server. And the confidentiality to cloud server implicitly implies the confidentiality to nonclient verifiers. Notice that we do not emphasize the input privacy as a necessity in publicly verifiable computation. This is because, in some scenarios, input data is obtained from some public sources that can be accessed by anyone. However, we still present a loose definition on input privacy for multivariate function, which we call (δ-ϵ)-privacy. Intuitively, it means that, for a function with an input set of multi-independent variables, the probability that the adversary leans the values of a δ fraction of the input sets is ϵ. The definitions are as follows.
Definition 5 (result confidentiality).
A confidentiality-preserving publicly verifiable computation protocol π is result-confidential for a class of functions F if, for any F from F, any tuple (SKF,EKF,PP) output by KeyGen(1λ,F), any x chosen from Domain(F), any tuple (σx,VKx,RKx) output by ProbGen(PP,SKF,x), any σout output by Compute(EKF,σx), and any PPT adversary A, it holds that(7)PrAPP,EKF,VKx,σx,σout=Fx≤neglλ.
Definition 6 (δ-ϵ input privacy).
A confidentiality-preserving publicly verifiable computation protocol π for a class of multivariate functions F achieves δ-ϵ input privacy if, for any F from F, any tuple (SKF,EKF,PP) output by KeyGen(1λ,F), any input set x=xi1≤i≤m chosen from Domain(F), any tuple (σx,VKx,RKx) output by ProbGen(PP,SKF,x), any σout output by Compute(EKF,σx), and any PPT adversary A, it holds that(8)PrAPP,EKF,VKx,σx,σout=xj1≤j≤m′∣xj∈x,m′>δm≤ϵ+neglλ.
Finally, we give the definition of efficiency. Informally speaking, efficiency means that the total computational cost on the client side by engaging the CP-PVC scheme is less than that of executing the direct algorithm to compute the target function. In the amortized model, since the KeyGen is done once and amortized by multiple function evaluation with different input value, this part of computational overhead does not need to be counted in.
Definition 7 (efficiency).
A confidentiality-preserving publicly verifiable computation protocol π for a class of multivariate functions F is efficient if, for any F from F and any x chosen from Domain(F), the total computational cost of algorithms ProbGen and PrivRet is less than that of directly evaluating F on x.
4. The CP-PVC Scheme for Polynomial Evaluation
In this section, we first review the construction of PRF in [29], showing that it is closed form efficient for polynomials in m variables and degree at most d in each variable. Then we present the corresponding algorithm for evaluating the PRF and its closed form efficiency. After that, we give the concrete construction of our CP-PVC scheme for polynomial evaluation together with the analysis and experimental simulation.
4.1. Algorithm for PRF with Closed Form Efficiency
Let G be a group generator that takes as input a secure parameter λ and outputs a description of group with prime order. Consider any polynomial p(x1,…,xm) that has m variables and degree at most d in each variable. Then the polynomial has totally l=(d+1)m monomials. Index them with tuple (i1,…,im), 0≤ij≤d. We say that the construction of PRFLW(KG,RK(i1,…,im)) admits the closed form efficiency for the following computation:(9)Polyri1,…,im0≤i1,…,im≤d,x1,…,xm=∏0≤i1,…,im≤dri1,…,imx1i1⋯xmim=gpx1,…,xmwhere p(·) is the polynomial whose coefficients are the discrete logs of the r values. If we set r(i1,…,im)=RK(i1,…,im), then there exists an algorithm CFEvalPoly,z(K,x1,…,xm) that can compute(10)gpx1,…,xm=∏0≤i1,…,im≤dRKi1,…,imx1i1⋯xmimin time O(mlogd), instead of the regular running time O(dm·mlogd).
The proof of the above claim can be found in [2]. Here we show the algorithm for evaluating the PRF as well as the polynomial P(x1,…,xm).
Let s=logd+1. The construction of PRF is the following algorithm:
KG(1λ,m,s): Run G(1λ) to generate a group description (p,g,G1). Choose 4ms+2 random values(11)y0,z0,ya,b,za,b,wa,b,va,b1≤a≤m,1≤b≤s←$Zp.
The algorithm outputs(12)K=y0,z0,ya,b,za,b,wa,b,va,ba,b.
The domain of the function is 0,…,dm, and the range is G1.
RK(·): Let i=(i1,…,im) be the input of the PRF. First interpret each ij=(ij,1,…,ij,s) as a binary string of s bits. Then run Algorithm 1.
Algorithm 1: PRF.
setRK1(i)=y0, RK2(i)=z0
forj=1 to m: do
fork=1 to s: do
ifij,k=0then
RK1(i)=RK1(i), RK2(i)=RK2(i)
else
RK1(i)=RK1(i)⋅yj,k+RK2(i)⋅zj,k
RK2(i)=RK1(i)⋅wj,k+RK2(i)⋅vj,k
end if
end for
end for
returngRK1(i)
Finally, the value of the PRF is RK(i)=gRK1(i). Let x=(x1,…,xm) be the input; the polynomial p can be written as(13)px1,…,xm=∑0≤i1,…,im≤dRK1i1,…,imx1i1⋯xmim.
Now we present the algorithm for evaluating the computation gp(x1,…,xm) in Algorithm 2. The derivation and proof can be found in [2].
Algorithm 2: CFEvalPoly(K,x1,…,xm).
set p1(x)=y0,p2(x)=z0
forj=1 to m: do
fork=1 to s: do
p1(x)=p1(x)+xj2k-1(p1(x)⋅yj,k+p2(x)⋅zj,k)
p2(x)=p2(x)+xj2k-1(p1(x)⋅wj,k+p2(x)⋅vj,k)
end for
end for
returngp1(x)
Finally, the value of gpx1,…,xm=gp1x. Note that the above algorithm makes totally ms times recursive operation. Thus its running time is O(ms)=O(mlogd), much faster than the regular running time O(dm·mlogd).
With the use of the above closed form efficient PRF in Algorithm 2, we can realize public verifiability by letting the PRF value be a part of the verification key. Then our remaining goal is to make this public verification process “blind”. Intuitively, to make the value F(x) confidential, one way is to encrypt the input value x. This is usually done in verifiable computation schemes. However such operation requires the homomorphic property of the encryption scheme, and encryption schemes with better homomorphic property are usually less efficient. Therefore, here we consider the way to blind the target polynomial F. We use two sparse m-variate polynomials A(x) and B(x) to randomize the target polynomial. Here sparse means that the degree of the polynomial is 1 and there are at most m terms of monomials that are nonzero. Thus the value of F(x) is covered under A(x) and B(x), and the computational overhead of A(x) and B(x) is O(m).
4.2. Construction of CP-PVC for Polynomial Case
Now, we present our concrete scheme of CP-PVC for multivariate polynomials F with m variables and degree at most d′ of each variable. In the case, F has totally at most w=d′+1m terms of monomial. Assume T(x)=A(x)F(x)+B(x). Let the degree of each variable be at most d and the total terms of monomial be l=d+1m, and for 1≤jT≤l write jT=i1T,…,imT with 0≤ikT≤d; then we can represent T(x) by ∑jT=1lt^jT·tjT(x), where tjT(x) represents each monomial and t^jT represents the coefficient correspondingly. Similarly, represent A(x) and B(x) by ∑jA=12ma^jA·ajA(x) and ∑jB=12mb^jB·bjB(x), respectively. The CP-PVC scheme works as follows:
KeyGen: For parameter λ, the client runs a bilinear group generator Ge(1λ) to generate a bilinear tuple (p,g,h,G1,G2,GT,e^). Choose a tuple a^jA,b^jB1≤jA,jB≤2m←$G1.
The client runs PRF key generation algorithm KG(1λ,⌊logd⌋+1,m) to generate a key K and the range in G1. Choose a random α∈Zp, and compute(14)EjT=gα·t^jT·RKjT,∀jT=1,…,l.
Let E=(E1,…,El)∈G1l. The algorithm outputs(15)SKF=K,a^jA,b^jB1≤jA,jB≤2m,EKF=T,E,PP=eg,hα,e.
ProbGen: On inputting SKF=(K,a^jA,b^jB1≤jA,jB≤2m), PP=(eg,hα,e), and owning x, the client computes A(x),B(x) and CFEvalPoly(K,x1,…,xm)=gR(x). The algorithm outputs(16)σx=x,VKx=egRx,h,RKx=Ax,Bx.
Compute: On receiving EKF=(T,E) and σx=x, the cloud server computes y′=T(x)=∑jT=1lt^jT·tjT(x), V=∏jT=1lEjTtjT(x) and outputs(17)σout=y′,V.
PubVer: On receiving VKx=e(gR(x),h) and σout=(y′,V), the verifier checks the equation(18)eV,h=eg,hαy′·VKx.
The algorithm outputs accept if the above equation holds; otherwise it outputs reject.
PrivRet: On receiving VKx=e(gR(x),h), σout=(y,V), and owning RKx=(A(x),B(x)), the algorithm first runs the PubVer algorithm with VKx and σout. If the PubVer outputs accept, then compute y=(y′-B(x))/A(x) and return y as the output.
4.3. Security Analysis
Now we analyze the correctness, security, and confidentiality of the proposed CP-PVC scheme.
4.3.1. Correctness
Correctness is easy to prove. Let σout,VKx,RKx be as above; then(19)eV,h=e∏jT=1lEjTtjTx,h=e∏jT=1lgα·t^jT·RKjTtjTx,h=egαTx,h·egRx,h=eg,hαy′·VKx.
The above proves the correctness for evaluating y′=T(x), and this implies the correctness of y=(y′-B(x))/A(x)=F(x).
4.3.2. Confidentiality
We show that, for an adversarial cloud server with the information of (PP,EKF,VKx,σx,σout), the probability that it can extract the value of the result y is negligible; i.e., the result confidentiality holds for cloud server. This implies that the confidentiality also holds for any third party verifier since they have less information (EKF) than the cloud server does. To extract y=F(x), one way is directly from T(x). However, this requires the knowledge of (A(x),B(x)) which are parts of the retrieval key and kept secret. The other way is to discover the coefficients of the function F(·) and evaluate F on x since the input value x is a plain text stored in σx. We will show that under this circumstance the adversary cannot discover the coefficients of F with a nonnegligible probability. Let A,B,F be as follows:(20)Ax=∑jA=12ma^jA·ajAxBx=∑jB=12mb^jB·bjBxFx=∑jF=1d′+1mf^jF·fjFx
and then we have that(21)Tx=AxFx+Bx=∑jT=12m∑jT=jA+jFa^jAf^jF+b^jBtjTx+∑jT=2m+1l∑jT=jA+jFa^jAf^jFtjTx=∑jT=1lt^jTtjTx.
Comparing the coefficients and setting 2m=s of the above equation, we get a system(22)∑jA+jF=1a^jAf^jF+b^1=t^1⋮∑jA+jF=sa^jAf^jF+b^s=t^s∑jA+jF=s+1a^jAf^jF=t^s+1⋮∑jA+jF=la^jAf^jF=t^l.
Note that the above system does not have a unique solution in G1, and the coefficients of A(·) and B(·) are chosen uniformly at random from G1. This means that the probability to choose the correct coefficients is negligible, and thus the privacy of coefficients of F(·) is guaranteed, which makes the confidentiality of the final result hold.
4.3.3. Security
The security of the scheme is based on co-CDH assumption and the corresponding proof follows from that in [2]. We take it as an inspiration and define the following four games.
Game 0.
It is the same as ExperimentEXPA[π,F,λ].
Game 1.
It is similar to Game 0, with the difference that EKF contains coefficients randomly chosen from G1 instead of T.
Game 2.
It is similar to Game 1, with the difference that the ProbGen phase uses an inefficient algorithm ∏jT=1lRK(jT)tjT(x) instead of the CFEvalPoly(K,x1,…,xm) to evaluate VKx.
Game 3.
It is similar to Game 2, with the difference that each value RK(jT) is replaced by a random element RjT∈G1.
We use a hybrid way to perform the proof, with the following claims.
Corollary 4.
PrG0A=1=PrG1A=1.
Proof.
This claim holds in an obvious way, since the change of algorithm for evaluating VKX does not change the distribution of its values. Thus the probability that the adversary wins is the same in both Games 0 and 1.
Corollary 5.
PrG1A=1=PrG2A=1.
Proof.
The difference between Games 2 and 1 is the coefficients of the target function. According to the confidentiality proof, these coefficients are indistinguishable since A and B are chosen uniformly at random, thus sharing the same distribution in the view of the adversary.
Corollary 6.
|PrG2A=1=PrG3A=1|≤ϵprf, where ϵprf represents the probability in the pseudorandomness definition of PRF.
Proof.
The difference between Games 3 and 2 is that the output of PRF RK(x) is replaced by uniformly random elements in G1. According to the pseudorandomness property of PRF, the probability that an adversary A distinguishes the two values is no better than ϵprf.
Corollary 7.
PrG3A=1≤ϵcdh, whereϵcdhrepresents the probability that an adversary solves co-CDH problem.
Proof.
To prove this claim we need to show that if there exists a PPT algorithm that wins in Game 3 with a probability larger than ϵcdh, then one can build an efficient algorithm B with oracle access to A to solve the co-CDH problem with some nonnegligible probability. Assume that the group in co-CDH problem is described as (p,g,h,G1,G2,GT,e^) and the adversary is given a co-CDH tuple (ga,hb) with the exponents a,b chosen randomly from Zp; the algorithm B works as follows.
First, B needs to simulate public parameter PP and evaluation key EKF. It computes the bilinear map e(ga,hb) and chooses 2l random elements t^jT,EjT1≤jT≤l. The simulated public key PP=(e(ga,hb),e), and the simulated evaluation key EKF=(T,E)=t^jT,WjT1≤jT≤l. Since the W generated in Game 3 contains a PRF as a factor and the PRF enjoys pseudorandomness, it is clear that the PP and EKF generated above enjoy a perfect distribution as that in Game 3.
Second, B gives the simulated PP and EKF to A and prepares to simulate the answers to the queries from A. A difference here is that B does not need to generate the retrieval key RK in querying phase as that in Game 3 because A does not have access to RK, neither does B need this RK to solve the co-CDH problem. Let xi(1≤i≤q) be the querying value. B first computes UjT=e(EjT,h)/ega,hbt^jT and then computes VKxi=∏jT=1lUjTtjT(xi). Since in Game 3,(23)eEjT,hegα,ht^jT=RKjT,combining the bilinear property of map e, it is clear that the simulated VKxi also enjoys a perfect distribution as that in Game 3. A is then given the corresponding verification key VKxi. Let x∗ be the challenge value chosen by A. The above process is repeated and A obtains VKx∗.
Finally, A will output a tuple σ^out∗=(y^,V^) such that(24)PubVerVKx∗,σout∗⟶k,PrivRetσout∗,VKx∗,RKx∗⟶y∗,
where k=accept and y∗≠F(x∗). Due to the correctness property, this y∗≠F(x∗) also implies that y^≠T(x∗). By k=accept we obtain that(25)eV^,h=ega,hby^·VKx∗.Let y=F(x∗) be the correct output of the PrivRet algorithm. Then by correctness we know y′=T(x∗) is also correct. Thus the following equation also holds:(26)eV,h=ega,hby′·VKx∗,where V=∏jT=1lEjTtjT(x∗).
Dividing (25) and (26) and combining bilinear property, we can obtain that(27)eV^V,h=egab,hy^-y′.Then B can compute gab=(V^/V)1/(y^-y′). Thus, if A wins Game 3 with probability ϵcdh, B solves the co-CDH problem with the same probability. This proves Claim 4.
Combining the four claims together, we obtain that(28)PrEXPAπ,F,λ=1≤ϵprf+ϵcdh.
4.4. Performance Analysis
In this subsection, we analyze the computational complexity of the proposed scheme and compare it with some existing works [2, 19]. Our scheme is efficient in the amortized model. That is, the expensive KeyGen algorithm is executed once and its computational overhead is amortized by the following evaluation of the polynomial function with different input value. Here the structure of the function cannot be changed unless another KeyGen algorithm for a different function is performed. Now we give detailed analysis on the computational costs of each algorithm. Let each letter denote the same item as that in the proposed scheme above. In the KeyGen phase, to compute the term EjT, the client needs to execute 2d′+2m+1 times of exponential modulo and d′+1m times of multiplication arithmetic in group G1. To compute the structure of function T(·), 2d′+1m times of multiplication and 2m times of addition arithmetic in N are executed. To generate the public key, one time of pairing arithmetic is executed. In the ProbGen phase, no execution needs to be done to generate σx since σx remains the same as input x. To generate the public verification key VKx, algorithm CFEvalPoly(·) is executed together with one time pairing arithmetic. And to generate the private retrieval key, the client needs to execute two times of (m-variate, 1-degree) sparse polynomial evaluation arithmetic. In the Compute phase, the cloud server needs to execute one time of (m-variate,d′+1-degree) polynomial evaluation arithmetic to compute y′ and d′+2m times of exponential modulo in group G1 to compute term V. In the PubVer phase, to compute the corresponding terms in the checking equation, the third party verifier needs to execute one time of pairing arithmetic, one time of exponential modulo arithmetic in GT, and one time of multiplication arithmetic in GT, respectively. Finally, in the PrivRet phase, the client firstly needs to execute what is done in PubVer phase and then execute, respectively, one time of subtraction and division arithmetic in N to compute the result y.
We present a complexity comparison between our scheme and existing works of PVC schemes for polynomial evaluation [2, 19]. After analyzing the specific arithmetic of each algorithm, We would like to use the notation O to compare computational complexity. Since the arithmetic operations in different groups are the same, we use three types of notation, OI,ON, and OE, to classify different types of complexity. OI denotes the time complexity of operations in ring Zp including integer addition and multiplication modulo prime p. ON denotes the time complexity of operations in ring N including addition and multiplication. OE denotes the time complexity of operations in group G1, G2, GT including multiplication, exponentiation, and bilinear map. The comparison result is shown in Table 1. From the table we can see that, compared with the scheme in [2], ours has a complexity increase of ON(d′m) in KeyGen, ON(m) in ProbGen, and ON(1) in PrivRet performed by the client. However, since the most expensive arithmetic in each of the three phases is OE(d′m), OI(mlogd′), and OE(1), respectively, the impact of the increasing complexity will not be obvious in the real performance. Compared with the scheme in [19], we first notice that the scheme in [19] only works for univariate case, while ours works for multivariate case. If we set “m=1”, the complexity of the two schemes is nearly the same, with a small increase of ON(1) in ProbGen and PrivRet, respectively, which is not the most expensive part in the two phases. By doing so, our scheme achieves a security property-result confidentiality that is considered to be important for user privacy.
Comparison of the three PVC schemes for polynomial evaluation.
FG12 [2]
EOA16 [19]
Ours
Problem size
m-variate, d′-degree
univariate, d′-degree
m-variate, d′-degree
KeyGen
OE(d′m)
OE(d′)+ON(d′)
OE(d′m)+ON(d′m)
ProbGen
OE(1)+OI(mlogd′)
OE(1)+OI(1)
OE(1)+OI(mlogd′)+ON(m)
Compute
OE(d′m)+ON(d′m)
OE(d′)+ON(d′)
OE(d′m)+ON(d′m)
PubVer
OE(1)
OE(1)
OE(1)
PrivRet
⊥
⊥
OE(1)+ON(1)
Result confidentiality
No
No
Yes
We also provide some experimental simulation of CP-PVC for polynomial to show the efficiency. Intuitively, efficiency means that the total computational overhead on the client side by engaging an outsourcing computation protocol is less than that by directly executing the target function algorithm. Since our scheme is constructed in an amortized model, i.e., the computations in KeyGen need to be done only once, we will not count that part of computation in the efficiency performance. Then for the client side, all the computation costs that are counted contain ProbGen and PrivRet phase. We implement the corresponding algorithms on the client side using MATLAB 2015 on a computer with Intel(R) Core(TM) i7-4790 CPU processor running at 3.60 GHz and 8 GB RAM. We show the time cost for different sizes of problems in Table 2, where m represents variable number and s represents bit length of the highest degree d′. This part of work is done in the previous conference version of this paper [24].
Times cost of the client [24].
m
s=10
s=50
s=200
s=1000
1000
0.0312s
0.0936s
0.1248s
0.4836s
5000
0.0624s
0.1716s
0.4836s
2.1372s
20000
0.1872s
0.5304s
1.7628s
8.3304s
100000
0.5460s
2.3712s
8.5956s
41.7614s
For comparison of efficiency, we also do some evaluation using the direct algorithm F(x)=∑jF=1wf^jF·fjF(x), where fjF(x) represents each monomial for polynomial F and w=2s+1m. The corresponding result is shown in Table 3, which is also done in the previous conference version [24]. We see that the cost time is already infinite when the case goes to s=50. This is reasonable because theoretically the complexity of the direct algorithm is O(m·2s). Recalling that the complexity of the way using closed form efficient PRF is O(ms), thus the scheme achieves a log time efficiency promoted for the evaluation of multivariate polynomials. We show in Figure 1 a time cost comparison between direct algorithm and outsourcing algorithm, in which case s=10; i.e., the degree of each variate is 210. This is also done in the previous conference version [24].
Times cost of direct algorithm [24].
m
s=10
s=50
s=200
s=1000
1000
3.28s
∞
∞
∞
5000
6.55s
∞
∞
∞
20000
19.65s
∞
∞
∞
100000
59.24s
∞
∞
∞
Time cost of different problem sizes [24].
5. The CP-PVC Scheme for Matrix-Vector Multiplication
In this section, we first review the PRF that is used for matrix-vector case and give the algorithm for its closed form efficiency. Then we give the concrete construction of our CP-PVC scheme for matrix-vector multiplication together with the analysis and experimental simulation.
5.1. Algorithm for PRF with Closed Form Efficiency
The PRF is defined in another domain, namely, the set [1,…,m]×[1,…,n].
Let G be a group generator that takes as input a secure parameter λ and outputs a description of group with prime order. The PRF is defined as follows:
KG(1λ,m,n): Run G(1λ) to generate a group description (p,g,G1). Choose 2(n+m) random values(29)Ai,Bi1≤i≤m←$G1,αj,βj1≤j≤n←$Zp.
The algorithm outputs(30)K=Ai,Bi,αj,βji,j.
RK(·): Let (i,j) be the input of the PRF. The algorithm outputs(31)RKi,j=AjαiBjβi.
The pseudorandomness holds under Decisional Linear assumption, and the corresponding proof is shown in [29]. We omit it here.
Now we consider the n-dimensional vector t→=(t1,…,tn)∈G, where ti=∏jri,jxj and (ri,j) forms an n×m matrix. We show that the construction of PRFM(KG,RK(i,j)) admits the closed form efficiency for the computation of vector t→. If we set ri,j=RK(i,j), then there exists an algorithm CFEvalMatrix(K,x1,…,xm) that can compute t→=(t1,…,tm) in time O(m+n), instead of the regular running time O(nm). The corresponding algorithm is shown in Algorithm 3.
Algorithm 3: CFEvalMatx(K,x1,…,xm).
set t→=Φ
A=∏j=1mAjxj
B=∏j=1mBjxj
fori=1 to n: do
ti=AαiBβi
end for
returnt→=(t1,…,tn)
With the use of the above closed form efficient PRF in Algorithm 3, we can realize public verifiability by letting the PRF value be a part of the verification key. Then our remaining goal is to make this public verification process “blind”. Inspired by the blinding technique in Chen et al.’s work [15], we can use a vector r→ to blind the real input r→ and a matrix N∈Zpn×m to blind the target matrix M and ask the cloud server to compute (M+N)(x→+r→). Thus the result is confidential and the public verification phase can be processed as usual. However, to retrieve the real result Mx→, the user needs to compute the value Mr→Nx→ and Nr→. This will cost three times the original computational task Mx→ does (O(nm)). To reduce the overhead of this computation, we can make the blinding vector and matrix sparse. The sparse matrix is like that in [15]. To make the result confidentiality solid, we usually set at least one nonzero element in each row of matrix N. For the sparse vector, we set randomly ⌈(1-δ)m⌉ (0<δ<1) positions 0. Then the computational overhead of Mr→, Nx→, and Nr→ is reduced to O(δnm), O(n), and O(δn). What is more, the blinding vector also preserves the privacy of input data to some extent.
5.2. Construction of CP-PVC for Matrix-Vector Case
Now, we present our concrete scheme of CP-PVC for matrix multiplication. Let p be a prime. Recall that our goal is to compute the n-dimensional vector y→=Mx→, where M is an n×m matrix denoted by (Mi,j) with entries from Zp. Such matrix-vector multiplication can be naturally extended to matrix-matrix multiplication by regarding the latter matrix as a row vector of column vectors and repeating the above matrix-vector multiplication several times. For matrix-vector multiplication Mx→, the CP-PVC scheme works as follows:
KeyGen: Let M=(Mi,j). For parameter λ, the client runs a bilinear group generator Ge(1λ) to generate a bilinear tuple (p,g,h,G1,G2,GT,e^). Choose a random sparse matrix N∈Zpn×m and set M′=M+N. The client then runs PRF key generation algorithm KG(1λ,m,n) to generate a key K and the range in G1. Choose a random α∈Zp, and compute(32)Ei,j=gα·Mi,j′·RKi,j,∀i=1,…,n;j=1,…,m.
Let E=(Ei,j)∈G1n×m. The algorithm outputs(33)SKF=K,N,EKF=E,M′,PP=e^,e^g,hα.
ProbGen: On inputting SKF=(K,N), PP=(e^,e^(g,h)α), and owning x→=(x1,…,xm)∈Zpm, the client randomly chooses a δ∈(0,1) and a sparse m-dimensional vector r→=(r1,…,rm)∈Zpm, where ⌈(1-δ)m⌉ coordinates of r→ are 0. Let x→′=x→+r→. Compute Mr→, Nx→, Nr→in O(δnm), O(n), O(δn) time, respectively, and compute ti=CFEvalMatx(K,x1′,…,xm′) in O(n+m) time using the closed form efficiency. Define vi=e^(ti,h) for i=1,…,n.
The algorithm outputs(34)σx=x→′,VKx=vi,…,vn,RKx=Mr→,Nx→,Nr→.
Compute: On receiving EKF=(E,M′) and σx=x→′, the cloud server computes y→′=M′x→′, wi=∏j=1mEi,jxj′ (for i=1,…,n) and outputs(35)σout=y→′,W=y1′,…,yn′,wi,…,wn.
PubVer: On receiving VKx=(vi,…,vn) and σout=(y→′,W), the verifier checks the following equation:(36)e^wi,h=e^g,hαyi′·vi,∀i=1,…,n.
The algorithm outputs accept if the above equation holds; otherwise, it outputs reject.
PrivRet: On receiving VKx=(vi,…,vn), σout=(y→′,W), and owning RKx=(Mr→,Nx→,Nr→), the client first runs the PubVer algorithm with VKx and σout. If the PubVer outputs accept, then compute y→=y→′-Mr→-Nx→-Nr→ and return y→ as the output.
Remark 8.
In order to be uniform, we assume that each entry of the matrix M and vector x→ is from ring Zp. However, when performing the arithmetic computation between matrix-matrix, vector-vector, and matrix-vector, the execution is actually done in the ring N. That is, the results are not in the form modulo prime p. This is to keep correctness of the computational result.
5.3. Security Analysis
Now we analyze the correctness, security, and privacy and confidentiality of the proposed CP-PVC scheme.
5.3.1. Correctness
Correctness is easy to prove. Let σout,VKx,RKx be as above. For i=1,…,n,(37)e^wi,h=e^∏j=1mEi,jxj′,h=e^∏j=1mgα·Mi,j′·RKi,jxj′,h=e^∏j=1mgαMi,j′xj′,h·e^∏j=1mRKi,jxj′,h=e^gαyi′,h·e^ti,h=e^g,hαyi′·vi.
The above proves the correctness for evaluating y→′=Mx→′, and this implies the correctness of y→=y→′-Mr→-Nx→-Nr→.
5.3.2. Result Confidentiality and Input Privacy
The result confidentiality is similar to the polynomial case. We prove that, given the tuple (PP,EKF,VK,σx,σout), the adversary cannot extract the result vector y=Mx.
Let M,N,x→,r→,y→,y→′ be as above; then we have that(38)yi=∑j=1mMi,j·xj
Notice that the blinding matrix has at least one nonzero element in each row, and the nonzero elements are all chosen uniformly at random. Thus the yi are all blinded by a random nonzero element, which makes the confidentiality of y→ hold.
As an additional bonus, the random sparse vector r→ that is added to the input x→ provides some preservation to the privacy of input value. Since the vector is sparse, with 1-δm coordinates being 0, such blinding operation may preserve the input privacy at a degree of 1-δ; namely, the adversary may successfully guess one entry of the input vector with this probability. However since the position of 0 elements is chosen at random, the probability of the adversary to recover 1-δ fraction of the input data is 1/mδm.
5.3.3. Security
The proof of the security follows that in [2]. We take it as an inspiration and define the following four games.
Game 0.
It is the same as ExperimentEXPA[π,F,λ].
Game 1.
It is similar to Game 0, with the difference that EKF contains an n×m random matrix from Zpn×m instead of N.
Game 2.
It is similar to Game 1, with the difference that the ProbGen phase uses an inefficient algorithm ∏j=1mRKi,jxj instead of the CFEvalPoly(K,x1,…,xm) to evaluate VKx.
Game 3.
It is similar to Game 2, with the difference that each value RK(i,j) is replaced by a random element Ri,j∈G1.
We use a hybrid way to perform the proof, with the following claims.
Corollary 4.
Pr[G0(A)=1]=PrG1A=1.
Proof.
This claim holds in an obvious way, since the change of algorithm for evaluatingVKXdoes not change the distribution of its values. Thus the probability that the adversary wins is the same in both Games 0 and 1.
Corollary 5.
PrG1A=1=PrG2A=1.
Proof.
The difference between Games 2 and 1 is the coefficients of the target matrix. According to the confidentiality proof, these coefficients are indistinguishable since each Ni,j is chosen uniformly at random, thus sharing the same distribution in the view of the adversary.
Corollary 6.
PrG2A=1=PrG3A=1≤ϵprf, whereϵprfrepresents the probability in the pseudorandomness definition of PRF.
Proof.
The difference between Games 3 and 2 is that the output of PRF RK(x) is replaced by uniformly random elements in G1. According to the pseudorandomness property of PRF, the probability that an adversary A distinguishes the two values is no better than ϵprf.
Corollary 7.
PrG3A=1≤ϵcdh, where ϵcdh represents the probability that an adversary solves co-CDH problem.
The proof of this corollary is the same as that in [2]; we omit it here.
Combining the four claims together, we obtain that(40)PrEXPAπ,F,λ=1≤ϵprf+ϵcdh.
5.4. Performance Analysis
We also analyze the computational complexity of the proposed CP-PVC scheme for matrix-vector multiplication and compare it with existing works [2, 19]. Analogous to polynomial case, we first give detailed analysis on the computational costs of each algorithm in matrix-vector multiplication case. Let each letter denote the same item as that in the proposed scheme above. In the KeyGen phase, to compute the term EjT, the client needs to execute 3nm+1 times of exponential modulo and 2nm times of multiplication arithmetic in group G1. To compute the matrix M′, since N is sparse, only n times of addition arithmetic in N are executed. To generate the public key, one time of pairing arithmetic is executed. In the ProbGen phase, the client first needs to execute δm times of addition arithmetic in N to get σx. To generate the public verification key VKx, algorithm CFEvalMatx(·) is executed together with n times of pairing arithmetic. And to generate the private retrieval key, the client needs to execute three times of matrix-vector multiplication arithmetic with computation complexity being O(δnm), O(n), and O(δn), respectively. In the Compute phase, the cloud server needs to execute one time of dense matrix-vector multiplication arithmetic to compute y′ and nm times of exponential modulo and n(m-1) times of multiplication in group G1 to compute term W. In the PubVer phase, to compute the corresponding terms in the checking equation, the third party verifier needs to execute n times of pairing arithmetic, n times of exponential modulo arithmetic in GT, and n times of multiplication arithmetic in GT, respectively. Finally, in the PrivRet phase, the client firstly needs to execute what is done in PubVer phase and then execute, respectively, three times of vector subtraction arithmetic in N to compute the result y.
Next we present a complexity comparison between our scheme and existing works of PVC schemes for matrix-vector multiplication [2, 19]. Similar to the polynomial case, We also use the notation O to compare computational complexity. According to the specific analysis of each algorithm, the arithmetic computations take place in ring N and group G1, G2, GT. Thus we only use two types of notation, ON and OE, where ON denotes the time complexity of operations in ring N including addition and multiplication and OE denotes the time complexity of operations in group G1, G2, GT including multiplication, exponentiation, and bilinear map. Let n×m be the problem size; then the comparison result is shown in Table 4. From the table we can see that, compared with the scheme in [2], ours has a complexity increase of ON(δnm) in ProbGen and ON(n) in PrivRet performed by the client. However, when the value of δ is small, the part ON(δnm) will be much less expensive than OE(n+m). And ON(n) is surely less expensive than OE(n). Therefore, by choosing a proper δ, the impact of the increasing complexity will not be obvious in the real performance. Compared with the scheme in [19], ours has a complexity increase of OE(n)+ON(δnm) in ProbGen and ON(n) in PrivRet performed by the client. If n≤m, or the difference between n and m is small, the complexity of OE(m) and OE(n+m) is nearly the same. Under this circumstance, our scheme can achieve a comparative performance with a small δ chosen. What is more, our scheme achieves result confidentiality and partial input privacy that are considered to be important for user privacy.
Comparison of the three PVC schemes for matrix vector multiplication.
FG12 [2]
EOA16 [19]
Ours
KeyGen
OE(nm)
OE(nm)+ON(nm)
OE(nm)+ON(n)
ProbGen
OE(n+m)
OE(m)
OE(n+m)+ON(δnm)
Compute
OE(nm)+ON(nm)
OE(nm)+ON(nm)
OE(nm)+ON(nm)
PubVer
OE(n)
OE(n)
OE(n)
PrivRet
⊥
⊥
OE(n)+ON(n)
Result confidentiality
No
No
Yes
Input Privacy
No
No
Partial
We also provide an experimental evaluation on the client side to show the efficiency compared with direct algorithm for matrix-vector multiplication. Different from that in polynomial case, we have a sparse coefficient δ in matrix-vector case. We choose different δ values and show the time cost for different sizes of problems in Table 5, which is done in the previous conference version of this paper [24]. Note that in the ProbGen phase, the time cost of VK generation is related only to n,m but not to δ. However, the time cost of RK generation is related to not only n,m but also δ. With a smaller δ, one can get a more efficient CP-PVC scheme, but this inevitably brings more risks to input privacy. This seems inherently a trade-off. Also, note that the computations in the PubVer and PrivRet phase are n times of bilinear map operation and three times of vector subtraction, respectively. This part of cost is too small to be counted in, so we omit it from the table.
Time cost under different δ values [24].
n×m
Original cost
VK_Gen
RK_Gen (δ=0.5)
RK_Gen (δ=0.2)
1000×50000
1.4508s
0.0077s
0.6864s
0.2652s
1000×100000
3.3228s
0.0156s
1.2728s
0.5460s
1000×200000
7.9092s
0.0312s
2.9484s
1.0764s
1000×400000
14.1683s
0.0624s
6.4428s
2.1840s
From the table we can see that, no matter what the choice of δ is, the total cost of VK generation and RK generation is much less than the original cost of matrix multiplication. Things can be more visualized in the column diagram of Figures 2 and 3 [24], where the volume of VK generation (blue) and RK generation (green) together is less than that of the original cost (red). Even when counting in the omitted time cost of PubVer and PrivRet phase, the CP-PVC scheme achieves an acceptable efficiency performance in practice.
Time cost of different problem sizes (×1000) when δ=0.5 [24].
Time cost of different problem sizes (×1000) when δ=0.2 [24].
6. Conclusion
We have proposed confidentiality-preserving publicly verifiable computation schemes for multivariate polynomial evaluation and matrix-vector multiplication. The proposed schemes achieve both public verifiability and result confidentiality, while the latter one also achieves partial input privacy. These security properties are considered to be important in practical application of publicly verifiable computation. With the experimental evaluation we have done, the scheme is also acceptable in practice.
Conflicts of Interest
The authors declare that they have no conflicts of interest.
Acknowledgments
This work is supported by the National Nature Science Foundation of China under Grants No. 61272091 and 61772311.
RenK.WangC.WangQ.Security challenges for the public cloud201216169732-s2.0-8486290781010.1109/MIC.2012.14FioreD.GennaroR.Publicly verifiable delegation of large polynomials and matrix computations, with applicationsProceedings of the ACM Conference on Computer and Communications Security (CCS '12)October 2012ACM50151210.1145/2382196.23822502-s2.0-84869379879GennaroR.GentryC.ParnoB.Non-interactive Verifiable Computing: Outsourcing Computation to Untrusted Workers[M]20106223Springer, Berlin465482Lecture Notes in Comput. Sci.10.1007/978-3-642-14623-7_25MR2725609YaoA. C.Protocols for secure computations1982160164MR780394GentryC.Fully homomorphic encryption using ideal lattices2009Bethesda, Md, USAACM169178MR2780062Zbl1304.94059GentryC.Computing arbitrary functions of encrypted data20105339710510.1145/1666420.16664442-s2.0-77649240581Zbl1315.94074FioreD.GennaroR.PastroV.Efficiently verifiable computation on encrypted dataProceedings of the 21st ACM Conference on Computer and Communications Security, CCS 2014November 2014usa8448552-s2.0-84910661762LaiJ.DengR. H.PangH.WengJ.Verifiable Computation on Outsourced Encrypted Data20148712ChamSpringer International Publishing273291Lecture Notes in Computer Science10.1007/978-3-319-11203-9_16BenabbasS.GennaroR.VahlisY.Verifiable delegation of computation over large datasets[C]Proceedings of the Conference on Advances in CryptologySpringer, Heidelberg111131Lecture Notes in Comput. Sci.10.1007/978-3-642-22792-9_7MR2874866BackesM.FioreD.Reischuk RM.Verifiable delegation of computation on outsourced data[C]Proceedings of ACM Sigsac Conference on Computer & Communications Security2013826828ZhangL. F.Safavi-NainiR.Batch verifiable computation of outsourced functions2015772-356358510.1007/s10623-015-0092-4MR3403165Zbl1357.68052AnanthP.ChandranN.GoyalV.KanukurthiB.OstrovskyR.Achieving privacy in verifiable computation with multiple serversCwithout FHE and without pre-processing[C]20148383Springer, Heidelberg149166Lecture Notes in Comput. Sci.10.1007/978-3-642-54631-0_9MR3178635AtallahM. J.FrikkenK. B.Securely outsourcing linear algebra computationsProceedings of the 5th ACM Symposium on Information, Computer and Communication Security, ASIACCS 2010April 2010chn48592-s2.0-77954521120WangC.RenK.WangJ.WangQ.Harnessing the cloud for securely outsourcing large-scale systems of linear equations20132461172118110.1109/TPDS.2012.2062-s2.0-84877785052ChenX.HuangX.LiJ.MaJ.LouW.WongD. S.New algorithms for secure outsourcing of large-scale systems of linear equations201510169782-s2.0-8491689044210.1109/TIFS.2014.2363765ParnoB.RaykovaM.VaikuntanathanV.How to Delegate and Verify in Public: Verifiable Computation from Attribute-Based Encryption[C]Proceedings of the International Conference on Theory of Cryptography2012422439SunY.YuY.LiX.ZhangK.QianH.ZhouY.Batch verifiable computation with public verifiability for outsourcing polynomials and matrix computations9722Proceedings of the Part I of Information Security and Privacy - 21st Australasian Conference, ACISP 20162016Melbourne, VIC, AustraliaSpringer International Publishing29330910.1007/978-3-319-40253-6_18Zbl06620905PapamanthouC.ShiE.TamassiaR.Signatures of Correct Computation20137785Berlin, HeidelbergSpringer Berlin Heidelberg222242Lecture Notes in Computer Science10.1007/978-3-642-36594-2_13Zbl1315.94098ElkhiyaouiK.ÖnenM.AzraouiM.MolvaR.Efficient techniques for publicly verifiable delegation of computationProceedings of the 11th ACM Asia Conference on Computer and Communications Security, ASIA CCS 2016June 2016chn1191282-s2.0-84979681531AldermanJ.CidC.CramptonJ.Publicly Verifiable Outsourced Computation with a Key Distribution Centre[J]Eprint Arxiv, 2014:1406AldermanJ.JansonC.CidC.CramptonJ.Revocation in publicly verifiable outsourced computation20158957Springer, Cham5171Lecture Notes in Comput. Sci.10.1007/978-3-319-16745-9_4MR3368642Zbl06513578AldermanJ.JansonC.CidC.CramptonJ.Hybrid Publicly Verifiable Computation[M]2016Springer International Publishing147163YeJ.ZhangH.FuC.Verifiable delegation of polynomials20161822832902-s2.0-84947087322SunJ.ZhuB.QinJ.HuJ.WuQ.Confidentiality-preserving publicly verifiable computation201728679981810.1142/S0129054117400196MR3760952Zbl06842671BonehD.MironovI.ShoupV.Secure Signature Scheme from Bilinear Maps[M]2003Springer, Berlin9811010.1007/3-540-36563-X_7MR2080132BonehD.BoyenX.ShachamH.Short group signatures2004BonehD.LynnB.ShachamH.Short signatures from the Weil pairing[C]Proceedings of the International Conference on the Theory and Application of Cryptology and Information Security2001Springer, Berlin514532GolleP.MironovI.Uncheatable Distributed Computations[C]. Topics in Cryptology - CT-RSA 20012001Proceedings of the The Cryptographer’s Track at RSA Conference 2001San Francisco, CA, USA425440LewkoA. B.WatersB.Efficient pseudorandom functions from the decisional linear assumption and weaker variantsProceedings of the 16th ACM Conference on Computer and Communications Security, CCS'09November 2009usa1121202-s2.0-74049161603